Well, 1995 has started. It is customary in many circles to reflect on the year
past and look ahead to the year just begun. We can't look back too far but we
can certainly look ahead.
As I have been reading the Virus-L digest I see the ever increasing problem of
the viruses, hacks and Trojans. Basic precautions are needed but seem to be
neglected. Promise yourself that the new year will start new habits.
Backup your files.
Set yourself up with a tool box that keeps you out of the position where the report that is due tomorrow is lost because you can't get to it, or even worse, has been destroyed. Take the few minutes it takes to set up an integrity program and a scanner that meets your requirements. LEARN them, and talk with others who use the same ones to find out what works for them, so you can establish a system of your own.
Backup your files
Get yourself into a virus conference on one of the many networks that offer them. Keep your eyes open for warnings of virus infected programs, hacks or Trojans.
Backup your files
Keep those files you just downloaded in a separate directory where you can uncompress them and scan them before you run them. As sure as I am writing this article, the first time you say "I'm sure this is safe" is when you will get hit.
And finally, BACKUP YOUR FILES!!!
"The best defense is a good offense"
I hope 1995 is a good year for all. Remember, keep those scanners going!! :-)
Editor's Note: Mr. Mikko Hyppönen, of Datafellows LTD, was kind
enough to allow The Scanner to use articles from his F-PROT Bulletins in
this issue and others to follow. We thank him for his generosity and help in
making The Scanner a more professional newsletter.
Polymorphic viruses employ code alteration and encryption to hide themselves from scanners. Their usual tactic is to encrypt the main part of their code with a variable key and leave only the decryption executor unencrypted. The decryption code is altered during every infection to prevent detection with a search string.
However, it takes considerable skill to design a polymorphic virus. This kept the number of true polymorphic viruses quite small for a relatively long time. Of course, this couldn't last forever: At some stage, the heavyweights of the virus trade took notice and came to rescue their less skilled brethren by writing and distributing polymorphic generators.
The first all-purpose polymorphic generator was the Mutation Engine, or MtE. Published in 1991, capable of billions of different permutations, linkable to any virus, it heralded the age of instant polymorphism. Today, there are 33 different viruses which are known to use the MtE.
Other polymorphic generators followed in MtE's wake. The next two appeared late in the year 1992. They were the TridenT Polymorphic Engine (TPE) and NuKE Encryption Device (NED).
TPE was written in the Netherlands. In principle it is capable of producing a smaller number of different permutations than the MtE. However, it created detection problems for antivirus products because the decryptors it creates are more generic than those produced by MtE. NuKE's generator wasn't quite as advanced, but unlike most other polymorphic generators, it was distributed as readable source code instead of an object module.
Other known polymorphic generators are Dark Angel's Multiple Encryptor (DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark Slayer Confusion Engine (DSCE).
These generators are typically distributed via underground networks, virus exchange BBSs and private areas in the internet.
It should be noted that the generator itself does not care in which kind of a program it is linked to. The known polymorphic generators are clearly written to be linked to viruses, but in principle they could be used in other kinds of programs as well.
When a virus that employs a polymorphic generator is infecting a program file (or some other object), it requests the generator to create an encrypted copy of the virus code and the generator itself. Besides performing the encryption, the generators also create a decryptor - a routine which is able to undo the encryption applied to the actual virus code.
The generators often use relatively simple encryption techniques. However, they do change the encryption key during every execution. This alone makes the detection of such a virus difficult, but encrypted viruses retain one Achilles' heel: the decryption routine, which must remain unencrypted if it is to be executable. Thus, the true effectiveness of a polymorphic generator is measured by its ability to mutate the decryption routine.
All polymorphic generators need some kind of a randomization routine in order to create different algorithms each time. Some of the generators allow the virus programmer to substitute his own randomization routines instead of the original one.
Polymorphic generators are able to create completely different encryption methods and a wide variety of different decryption routines for them. They modify their decryption routines by such means as shifting the commands inside the routine around, adding ineffectual commands in random places and using different processor registers and opcodes.
The basic idea is to make the binary image of the decryption routine totally different between different infections. All this makes it impossible to search for the decryption routine with fixed search strings - there is no search string that could always be found in infections made by a polymorphic virus.
How does a virus using a polymorphic generator infect a file?
One of the reasons for this is that a generator must be linked to the program to be encrypted, and since the operation requires changes to the program itself, some programming experience is necessary. This alone places the generators out of the reach of the run-of-the-mill virus enthusiasts. Unfortunately, the generators usually come with detailed instructions on their use, so that virus aficionados with even limited experience of assembly programming can easily use them.
Another limitation is the generators' size. Although the generators are quite small in themselves, they do increase the size of viruses by some amount. This makes it difficult to link them to boot sector viruses, which have limited code space. No generator-masked boot sector viruses have been found. With the exception of V-Sign (a mildly polymorphic boot sector virus), polymorphic capabilities seem to be the privilege of file viruses.
Of course, the advantage that viruses get from polymorphic generators is somewhat questionable. If an anti-virus program is able to recognize the presence of a particular generator, it is usually able to detect all viruses masked by it.
As polymorphic generators vary a lot, a different algorithm is needed for each generator - and in order to build such an algorithm, the generator has to be studied closely.
However, the algorithmic methods have a certain weakness: they are prone to false positives. The program structures employed by polymorphic generators can be very random. This means that similar structures sometimes occur inside legitimate program code. False alarms may crop up especially if data files are also included in the search, because they typically contain data similar to the random 'garbage-code' which the generators produce. It is relatively easy to create an algorithm that will find all infections created with a polymorphic engine, but if the algorithm also flags a large number of clean programs as infected, it is useless.
Checksumming has its drawbacks, too: checksummers suspect all changes that happen inside a system, and occasionally give warnings of ordinary programs which alter their own code. Nowadays, checksummers are usually equipped with an exclude-list and a heuristic faculty to prevent this from happening.
Although theoretically able to detect all changes to a system, checksummers are vulnerable to stealth viruses. If such a virus is active in a computer's memory, it is able to hide all the changes it has made. When stealth viruses are involved, checksummers base their calculations on false data, and will consequently find everything to be in order. It should be noted that polymorphic viruses which also stealth their presence are very rare, simply because they are technically difficult to create.
This method works against some polymorphic generators with great success, but is difficult to implement for others.
The algorithm-based detection mechanisms against polymorphic viruses tend to have problems with false alarms, but these can be overcome by designing the detection engine carefully. One advantage of algorithm-based detection is that, once a detection engine is able to detect a certain polymorphic generator, it will probably detect all viruses utilizing it.
A decryption-based detection mechanism can only detect those polymorphic viruses that have been analyzed by the creator of the antivirus product, but it is very unlikely to produce false alarms. Furthermore, such a mechanism is also able to detect the exact variant of the virus in question - this is something that most algorithm-based detection methods are unable to do.
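The three approaches the bulletin contrasts (fixed search strings, algorithmic detection of the generator's structure, and decryption-based identification of the variant) can be compared on a toy model. This is an added example, not code from the bulletin or from F-PROT: the decryptor "instruction set", the two variant bodies and the clean look-alike buffer are all constructed here, and the function names are assumptions.

```python
import re

# Toy decryptor "instruction set" used to model a polymorphic generator's output.
# These are constructed opcodes for illustration only, not real x86 instructions.
OP_KEY  = 0xB0   # followed by the one-byte XOR key
OP_XOR  = 0x30   # "decrypt the body with the key"
OP_JUNK = 0x90   # ineffectual filler the generator sprinkles around
OP_END  = 0xC3   # end of decryptor; the encrypted body follows

# Constant plaintext bodies of two constructed variants that share the generator.
KNOWN_BODIES = {
    "Toy.A": b"TOY VARIANT A: constant body that never changes",
    "Toy.B": b"TOY VARIANT B: constant body that never changes",
}

def generate_sample(body: bytes, key: int, junk=(0, 0, 0)) -> bytes:
    """Model of one infection: same body, fresh key, fresh junk layout.
    junk[i] is how many filler bytes precede the i-th real instruction."""
    stub = bytearray()
    for n, op in zip(junk, (OP_KEY, OP_XOR, OP_END)):
        stub.extend([OP_JUNK] * n)
        stub.append(op)
        if op == OP_KEY:
            stub.append(key)
    return bytes(stub) + bytes(b ^ key for b in body)

def search_string_detect(sample: bytes, search_string: bytes) -> bool:
    """Classic scanner: a fixed byte string lifted from one infection."""
    return search_string in sample

# Algorithmic detection: describe the *shape* the generator always produces
# (key load, then XOR, then end, with any amount of filler in between).
STUB_SHAPE = re.compile(rb"\x90*\xB0(.)\x90*\x30\x90*\xC3", re.DOTALL)

def algorithmic_detect(sample: bytes) -> bool:
    return STUB_SHAPE.search(sample) is not None

def decryption_based_identify(sample: bytes):
    """Run the decryptor (here: interpret the toy stub) to recover the body,
    then match the constant body against the known variants."""
    m = STUB_SHAPE.search(sample)
    if m is None:
        return None
    key = m.group(1)[0]
    body = bytes(b ^ key for b in sample[m.end():])
    for name, known in KNOWN_BODIES.items():
        if body.startswith(known):
            return name
    return None

# A constructed clean buffer that happens to contain the stub shape.
CLEAN_LOOKALIKE = b"ordinary data file \xB0\x41\x30\xC3 more ordinary data"

def demo() -> dict:
    first  = generate_sample(KNOWN_BODIES["Toy.A"], 0x5A, junk=(1, 0, 2))
    second = generate_sample(KNOWN_BODIES["Toy.A"], 0x3C, junk=(0, 3, 1))
    lifted = first[: first.index(OP_END) + 1]   # search string taken from the first infection
    return {
        "search_string_first":  search_string_detect(first, lifted),         # True
        "search_string_second": search_string_detect(second, lifted),        # False: key and layout changed
        "algorithmic_second":   algorithmic_detect(second),                  # True
        "algorithmic_clean":    algorithmic_detect(CLEAN_LOOKALIKE),         # True: a false alarm
        "identify_second":      decryption_based_identify(second),           # "Toy.A": exact variant
        "identify_clean":       decryption_based_identify(CLEAN_LOOKALIKE),  # None: no false alarm
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```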
Though revolutionary in its time, Mutation Engine is currently somewhat outdated. Practically all anti-virus products can detect MtE-hidden viruses. Nevertheless, MtE continues to be a source of inspiration for people aspiring to write polymorphic generators - for example, almost all generators written after MtE mimic the documentation provided with MtE.
MtE v0.91's size is 2048 bytes.
To date, four versions of TPE have come out. The author has implied that he considers the product finished, and will not write further versions. The later versions of TPE are highly complex, making it one of the most advanced polymorphic generators in the world.
TPE version 1.1 was technically advanced, but it contained bugs which made it incompatible with some processor types. Versions 1.2 and 1.3 corrected this problem. The last version, 1.4, introduced an improved, highly complex encryption method, which makes TPE-hidden viruses difficult to identify by using decryption-based detection methods.
TPE takes up about 1.6 KB. Presently, it is known to be linked to 10 different viruses.
Unlike most other polymorphic generators, NED was distributed as source code. This, of course, makes it easier for other virus creators to modify the generator, but so far only a single version of NED has been found. The generator's documentation expressly forbids its distribution outside NuKE itself, but it has obviously been in wide distribution.
NED version 0.90B takes up 1355 bytes. It is known to have been linked to two different viruses.
Dark Angel published his generator during the summer of 1993 in issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has also written the two virus creation toolkits published by Phalcon/SKISM, the PS-MPC and G2.
Like NED, DAME was distributed as commented source code. Along with the generator, Dark Angel published an article which dealt with polymorphism and the writing of polymorphic generators in general.
Dark Angel was apparently not completely satisfied with his initial product, because he introduced an improved version of DAME in the next issue of 40Hex.
The first version of DAME, 0.90, took up 1574 bytes. The improved 0.91 version had grown to 1960 bytes. DAME is known to have been linked to two different viruses.
Interestingly, DSME contains documentation both in English and Chinese. The author sends greetings to Dark Avenger and Nowhere Man and thanks for the inspiration he received from earlier polymorphic generators.
DSME is not as advanced as the generators produced before it. Dark Slayer admits this in his notes. The actual size of the generator is a little over 2 kilobytes.
At the moment, only one virus is known to use the DSME.
At the moment, there are four different versions of MutaGen in distribution. Each successive version is more complex than the previous ones. Their sizes range from 1032 bytes to 1385 bytes. In MutaGen's documentation, MnemoniX criticizes the other polymorphic generators for being too unreliable and easy to detect.
MnemoniX himself has published two different viruses which utilize the MutaGen generator, but otherwise the response of the virus underground to this new generator is unknown.
In the generator's documentation, the author prohibits the use of the generator in viruses and other malicious software. He claims to have developed GPE solely for the purpose of protecting data and programs from unauthorized use. These claims are lent some credence by the fact that the author has included his apparently real name and phone number in the introductory notes.
Version 1.00 of the Guns'n'Roses Polymorphic Engine was released in March 1994. So far, the generator is not known to have been linked to any virus. Its size is about two kilobytes.
A file that demonstrated DSCE's abilities was sent to F-PROT Professional Support during April 1994. Deductions based on this demo indicate that DSCE is a rewritten version of DSME, and capable of creating far more complicated samples.
Source: F-PROT Bulletin 2.14.
Editor's Note: Mr. Bill Hoover of Virus Research and Statistics in
Indianapolis, Indiana is a new member of The Scanner's contributing
authors and researchers. We welcome him aboard and look forward to working
with him more in the future. At publication time The Scanner learned
that Bill has just recently been hired as a programmer/analyst for a client
server based company called Support Net in Indianapolis, Indiana. CONGRATS
Bill, and good luck. TRON and HIDER are two viruses Bill has researched. The
following are his reports on the two viruses:
From taking a quick look at it and testing it on an isolated computer, it seems to be a resident *.COM infector including COMMAND.COM and the infected files increase by 754 bytes.
Upon executing an infected program, the virus will go resident and hook interrupts 8 (system timer), 16 (keyboard), 21 (Dos Functions) and 22 (Dos Terminate address) and infect *.COMs when they are executed. Seems to also play around with the keyboard a bit, and adds 1 to the ANSI value of the 6th typed character. For example, 'xxxxxx' becomes 'xxxxxy' and 'aaaaaa' becomes 'aaaaab'.
Although F-Prot 2.14 detects it, users can use the scan sig below to detect it since it is present in all infected files (at least the ones I tested):
0E 1F BE 18 01 46 81 3C 54 52 75 F9 81 7C 02 4F 4E 75 F2 83 C6 04
In addition, the text 'TRON' can be found within infected programs, and the infected program's name appears in the interrupt chain and as resident in memory.
The 'Hider / Anston Rant' virus was submitted to Virus Research & Statistics on 10.08.94 via the Prodigy Service by a user of Prodigy.
The virus is a non-resident direct action parasitic infector of *.COM/*.EXE files using a standard method of appending the viral code to the end of the infected program(s) and adding a JMP command to the beginning of the infected *.COM files.
The virus seems to use a very effective traversal scheme which will search relentlessly until it infects 3 *.COM and 3 *.EXE files or until no more candidate files are found.
Infected files will increase by 1782 bytes with the virus being appended to the end of the infected files and the original file's time and date stamps will not be changed from their original state.
Infected files will contain the following message:
Anston Rant is back for more!
The user who submitted a sample of this virus stated that on the 13th day of any month, the virus would 'hide' all files and directories located within the root directory and the files could be safely recovered by using the ATTRIB -H *.* command. However, during my tests, no files or directories were 'hidden' and the virus merely continued to infect non-infected files and displayed the message listed above.
Whoa, looks like you be missing some files there, Bud!
Generation 1 samples of this virus can easily be detected using the following scan sig:
BF 03 02 06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00
In addition, infected *.COM / *.EXE files can be detected by:
06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00 2E 8A 04
In the current form, this virus does not contain an encryption scheme and will easily be detected by using the above scan sigs added to F-Prot or any other AV product that supports external user defined scan sigs.
Tron and Hider / Anston Rant virus tech-specs provided by :
Preliminary analysis of Nympho Mitosis virus by W.H. (Bill) Lambdin:
Name ] Nympho Mitosis 2.0
Size ] 787 bytes
Infects ] .COM and .EXE files including COMMAND.COM.
Scan string ] 33 FF 8C C0 48 8E D8 38 3D 75 44 88 1D 83 6D 03
In the wild ] Unknown
]
A-V ] This virus has been forwarded to the following; Vesselin
] Bontchev, David M. Chess, Spencer Clark, Eugene V.
] Kaspersky, FRISK, Dr. Alan Solomon, Wolfgang Stiller,
] Frans Veldman, Tarkan Yetiser, Dmitry O. Gryaznov
Armored ] no
Detected ] Yes
Encrypted ] No
Interrupts ] Hooks interrupt 21h
Load Address] 9FBDh
Marker ] The virus places an 8 in the last column of the seconds
] field of the time stamp to mark infected files. When
] Nympho Mitosis disinfects a host file, 02 is placed in
] the seconds field of the time stamp.
Polymorphic ] No
Resident ] Yes
Size in RAM ] 1088 bytes
Stealthed ] Fully stealthed, but very unusual, the virus removes
] itself, when an infected file is opened, but does not
] re-infect when the host file is closed.
Text ] [Nympho Mitosis] v2.0 Copyright (c) 1993 Memory Lapse
] Phalcon/Skism Canada
Type ] Infects .COM & .EXE files, and the virus is appended to
] the end of the infected host files.
Unusual ] Does not trap errors. So DOS reports a write protect error
] when trying to run a file from a write protected diskette.
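The TRON, Hider / Anston Rant and Nympho Mitosis reports above each give a scan sig for use with scanners that accept user-defined strings. The following is an added example, not code from the reports or from F-PROT: a small scanner that searches files for exactly those hex strings, reading in chunks and carrying an overlap so a signature split across two reads is still found. The sample buffers are constructed here, and names such as scan_stream are assumptions.

```python
import io
import sys
from pathlib import Path

# Scan sigs exactly as quoted in the reports above (hex bytes, space separated).
SCAN_SIGS = {
    "TRON": "0E 1F BE 18 01 46 81 3C 54 52 75 F9 81 7C 02 4F 4E 75 F2 83 C6 04",
    "Hider (generation 1)": "BF 03 02 06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00",
    "Hider (infected .COM/.EXE)": "06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00 2E 8A 04",
    "Nympho Mitosis 2.0": "33 FF 8C C0 48 8E D8 38 3D 75 44 88 1D 83 6D 03",
}
COMPILED = {name: bytes.fromhex(h) for name, h in SCAN_SIGS.items()}

def scan_stream(stream, chunk_size: int = 1 << 20):
    """Return sorted (name, offset) pairs for every sig found in a binary stream."""
    overlap = max(len(s) for s in COMPILED.values()) - 1
    hits = set()
    carry = b""     # tail of the previous read, so boundary-straddling sigs are not missed
    base = 0        # absolute file offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for name, sig in COMPILED.items():
            start = 0
            while True:
                idx = buf.find(sig, start)
                if idx < 0:
                    break
                hits.add((name, base + idx))   # the set removes re-finds inside the overlap
                start = idx + 1
        carry = buf[-overlap:] if len(buf) > overlap else buf
        base += len(buf) - len(carry)
    return sorted(hits, key=lambda h: (h[1], h[0]))

def scan_bytes(data: bytes):
    return scan_stream(io.BytesIO(data))

# Constructed samples: a tiny "program" carrying the TRON sig at offset 10, and a
# buffer carrying the Hider infected-file sig at offset 4. Not real infected files.
SAMPLE_TRON = b"\xE9\x00\x00" + b"\x90" * 7 + COMPILED["TRON"] + b"\xCD\x20"
SAMPLE_HIDER = b"\x00" * 4 + COMPILED["Hider (infected .COM/.EXE)"]

def boundary_demo():
    """Constructed check: the TRON sig straddles a 16-byte read boundary."""
    data = b"A" * 10 + COMPILED["TRON"] + b"B" * 5
    return scan_stream(io.BytesIO(data), chunk_size=16)

def main(argv):
    """Scan the files and directories named on the command line."""
    for arg in argv:
        root = Path(arg)
        paths = [root] if root.is_file() else root.rglob("*")
        for path in paths:
            if path.is_file():
                with path.open("rb") as fh:
                    for name, off in scan_stream(fh):
                        print(f"{path}: {name} at offset 0x{off:X}")

if __name__ == "__main__":
    main(sys.argv[1:])
```

A hit on a sig is only as good as the sig: as the Hider report notes, the generation 1 string and the infected-file string overlap, so a buffer may legitimately match both.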
The following message was taken off of the WildNet Virus conference 19 December
1994:
Date: 12-16-94 Msg # 98
To: ALL Conf: (125) Virus'-WN
From: ROBERT KEMPER Stat: Public
Subj: WARNING WARNING WARNING Read: Yes
I discovered a Trojan on the Software Vault Gold Collection CD. Under the utilities section is a supposedly shareware virus scanner that will damage any disk you attempt to scan. The file name is SCCL100.zip DO NOT ATTEMPT TO RUN THIS PROGRAM! I have notified American Databankers Corp and they have confirmed that this program is designed to damage disks and will be removed from future CD's. Copyright 1994 Robert L. Kemper Jr.
--- * TNet 3.60 * WILDNET: The Right Note! - MUSIC ORIENTED BBS - 502-452-1453
Thanks Robert, great catch!! The staff at The Scanner went into action and went looking. We found this program on 8 CDs total in our area and made the proper notifications to the sysops. Here are the CDs and the areas the program was found in:
CD Title                    Area
-----------------------------------------------------------
Shareware Vault Gold        Virus Detection and Prevention
Shareware Studio #4         Virus Tech
Arsenal                     Anti-Virus Utilities
Cream of the Crop II        Virus Prevention
Hobbes OS/2                 MAC File Viewers
Best of Bizzness '94        Virus Utilities
Best of Shareware '94       MAC File Viewers
Night Owl #9                Virus
Night Owl 10                Virus
Editor's Note: Thanks to Jerome Priest - SYSOP of THE Busy Body BBS, W. Branch, MI, we added Night Owl #10 to the list. Thanks Jerome!
The file is 709180 bytes with a file date of 05-26-93. This program claims to be a virus scanner.
The program will start out asking you what drive you want to scan. Upon entering a drive letter you are immediately taken to a screen where the alleged scanning is taking place. The unsuspecting victim will observe a Scanning box and a Status box on the screen. As the Scanning box fills (Showing the percentage of the disk that is scanned ) the status box shows the message: "Scanning Memory ...."
Once the Scanning box reaches 100%, the status box then reports "Memory appears to be clean ....".
Now the program performs the alleged disk check. The Scanning box once again will display the percentage of the disk being scanned and the status box displays the following message: "Now performing check on disk.... Please Wait ...."
Now the fun begins. The Scanning box will go across the screen's width several times and then stop. The Status box displays the following message: "Uh Oh....Virus Detected...."
Upon hitting the return button this message comes up: "Trying to gain control of vital areas...."
After a few seconds the final message comes up as: "Cannot destroy virus !!!!"
The system is waiting for a RETURN from the user. The light on the A: drive goes on and the damage is now in progress. After the drive stops, the system is locked up. The system needs to be rebooted again. After rebooting, the unsuspecting user then looks at the disk in the A: drive to see if the "virus" has been removed only to find the disk rendered useless.
That, folks, is a TROJAN. A program that claims to do something, but in reality does something else unbeknownst to the user.
Editor's Follow-up: I have personally verified each program off of each CD. I am doing more follow-up because the file sizes are not all the same, yet the same action occurs in each program. The EXE file is the same size in each program, 5599 bytes. The SCCL100.DAT file is always 702383 bytes. Prior to doing a scan on a disk the following files are in the directory of the SCCL100 program:
SCCL100.DAT   702383   05/26/93  18:57
SCCL100.DOC     1497   05/26/93  19:27
SCCL100.EXE     5599   05/26/93  18:58
After executing the program the following files are added:
SCANNER.DAT 140392 <Date program was run>
The Internet information provided is concise, and provides a good, if fairly standard, starting point. Those new to the Internet should plan to spend some time practicing the various applications, or might want to look for more detailed guides in areas of interest. The coverage is quite broadly based, though. The email chapter, for example, goes into some detail on the use of UUENCODE to send binary files, an often neglected topic.
While the advice to avoid troublesome items such as unsolicited mail and mass advertising mailing is good, there could be much more in the way of specific business advice. The choice of Internet provider only asks whether they provide all the Internet services you require, without analyzing the need for an information provider to set up anonymous ftp, gopher or World Wide Web servers. The chapter on an Internet business plan really only looks at a standard planning tool, with a few line items added for Internet service costs.
This work should provide an adequate starting point for those interested in launching a business with support from Internet tools. Those who do should, however, spend some time getting used to the net, before rushing in.
Savetz maintains a number of such lists, so it is natural that his Internet guide is written in this style. Question 1.2, in the introduction, in fact asks whether the world needs another Internet book. He feels that his guide has a distinctive style, and that the question and answer format makes a fundamental difference to the work.
I'm not sure that the difference is fundamental, but I do think it was a valuable exercise, and produced a worthwhile book. The need to answer the questions keeps sidetracks and diversions to a minimum. The "frequently" part also helps keep the book focussed on what most people want; the question, however, gives the book some added breadth. I note some questions which I am certainly asked often, and which many Internet guides fail to answer.
The questions are all listed at the beginning of the book, forming a type of expanded table of contents. This is less helpful than one might suppose, since one needs to know the area that the question might appear in.
Overall, a concise and informative starting guide, well worth consideration.
Editor's Note: I have recently purchased a copy of Rob's book Robert Slade's Guide to Computer Viruses and highly recommend it to anyone wishing to take serious steps in learning the basics of computer viruses and procedures to arm themselves against them. It is well written and quite informative. Hopefully, I will have completed it by the next issue and look forward to giving you the "scoop" in detail. :-)
In the last issue of The Scanner we featured the GOLD-BUG virus. In the
"gouge" we included in the article, two companion viruses of GOLD-BUG were
mentioned. The DA'BOYS virus and the XYZ virus both accompany the GOLD-BUG
virus. All three of these viruses were written by an individual named "Q" the
misanthrope. Well, the "Q" library is growing. I guess if we have to have virus
writers that turn their creations loose on the world we might as well have one
that will at least send the code and the removal instructions as well! :-)
Virus Name: DA'BOYS
Aliases: DALLAS COWBOYS
V Status: New, Research
Discovery: January, 1994
Symptoms: Possible diskette access problems; BSC; Infected disks fail to
boot on 8088 or 8086 processors; No COM4.
Origin: USA
Eff Length: 251 Bytes
Type Code: BORaX - Resident Overwriting Boot Sector and Master Boot Sector
Infector
Detection Method: None
Removal Instructions: DOS SYS
General Comments:
When a disk is booted with the DA'BOYS virus, it will load itself into a "hole" in lower DOS memory. CHKDSK will not show a decrease in available memory. INT 12 will not be moved. The DA'BOYS virus code is written in the "Non-System disk or disk error Replace and press any key when ready" string. But it will display the above message by using the code found on the hard disk DOS boot sector. It will then infect the DOS boot sector (not the partition table) of the hard disk and overwrite the "Non-System ... " text string with its code.
The DA'BOYS virus does not damage any data. It disables COM4. The text string "DA'BOYS" appears in the virus code but is not displayed. The DA'BOYS virus has a companion virus that it works with. The GOLD-BUG virus is also a boot sector infector. It is possible to have a diskette with two boot sector viruses. GOLD-BUG hides the presence of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG removes the DA'BOYS virus from the INT 13 chain at the start of Windows and restores it when Windows ends.
It can be removed from diskettes and hard disks with the DOS SYS command.
Virus Name: XYZ
Aliases: X-AMINE YOUR ZIPPER
V Status: New, Research Viron
Discovery: September, 1993
Symptoms: None - Pure Stealth
Origin: USA
Eff Length: 440 Bytes
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
The XYZ virus will only load if DOS=HIGH in the CONFIG.SYS file. The first time an infected .EXE file is executed, the virus goes memory resident in the HMA (High Memory Area). The hooking of INT 13 is accomplished using a tunnelling technique, so memory mapping utilities will not map it to the virus in memory. It then reloads the infected .EXE file, cleans it on the fly, then executes it. After the program has been executed, XYZ will attempt to infect 15 .EXE files in the current directory.
If the XYZ virus is unable to install in the HMA or clean the infected .EXE on the fly, the virus will reopen the infected .EXE file, remove itself, and then write the cleaned code back to the .EXE file. It then reloads the clean .EXE file and executes it. The virus cannot clean itself on the fly if the disk is compressed with DBLSPACE or STACKER, so it will clean the infected .EXE file and write it back. It will also clean itself on an 8086 or 8088 processor.
It will infect an .EXE if it is executed, opened for any reason or even copied. When an uninfected .EXE is copied, both the source and destination .EXE file are infected.
The XYZ virus overwrites the .EXE header if it meets certain criteria. The .EXE file must be less than 62K. The file does not have an extended .EXE header. The file is not SETVER.EXE. The .EXE header must be all zeros from offset 72 to offset 512; this is where the XYZ virus writes its code. The XYZ virus then changes the .EXE header to a .COM file. Files that are READONLY can also be infected.
The text string "XYZ" and "ZYX" appear in the virus code but are not displayed.
The XYZ virus has a companion virus that it works with. The GOLD-BUG virus also goes memory resident in the HMA and reserves space for the XYZ virus.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the system. Then run each .EXE file less than 62K. The virus will remove itself from each .EXE program when it is executed. Or, leave DOS=HIGH in your CONFIG.SYS; execute an infected .EXE file, then use a tape backup unit to copy all your files. The files on the tape have had the virus removed from them. Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the system. Restore from tape all the files back to your system.
If you find any interesting or humorous articles related to computers, hackers,
Trojans or even viruses, let us know. China seems to be a topic of interest so
far as hackers and hacks go.
Source: F-PROT Bulletin 2.09. Copyright (c) 1993 Data Fellows Ltd.
In 5 Dec 1994 issue of the Daily Telegraph (UK newspaper), p23:-
A new virus doing the rounds in China is perplexing the party faithful. When it strikes, a question appears on the screen: "Do you think Li Peng is a good prime minister?". If the operator answers "no", then the message disappears and the system is left untouched. On the answer "yes", however, the virus wipes the entire hard disk.
Source: Virus-L Digest Volume 7 Issue 100
File: PKZ305.EXE
Problem: Hacked
Reported By: Fido Virus_Info Conference
File: DOOM2CHE.ZIP
Problem: Virus Infected
Reported By: Mike Karina of Biloxi, Ms.
File: SF2_UP.ZIP
Problem: Virus Infected
Reported By: Fido WARNING Conference
This file can be found on the Night Owl 10.0 CD. It is infected with the Lapse_366 virus. The staff of The Scanner found this file and verified the virus is still present. Fridrik Skulason verifies the virus on this file in the F-PROT virus information files.
File: SPORT21C.ZIP
Problem: Virus Infected
Reported By: Fido WARNING Conference
This file can be found on the Night Owl 10.0 CD. It is infected with the Crusader variant of Butterfly. The staff of The Scanner found this file and verified the virus is still present. Fridrik Skulason verifies the virus on this file in the FP virus information files.
File: SCCL100.ZIP
Problem: Trojan
The Monkey virus was first discovered in Edmonton, Canada, in 1991. The virus
quickly spread to USA, Australia and UK. Monkey is one of the most common boot
sector viruses.
As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. Like Stoned, the virus infects Master Boot Records on hard disks and DOS boot records on diskettes. Monkey spreads only through diskettes.
The original Stoned leaves the partition table in its proper place in the hard disk's zero track, but Monkey does not. Instead, it copies the whole Master Boot Record to the hard disk's third sector to make room for its own code. The hard disk is inaccessible if the computer is booted from a diskette, since the operating system cannot find valid partition data in the boot sector - attempts to use the hard disk result in the DOS error message "Invalid drive specification".
When the computer is booted from the hard disk, the hard disk can be used normally because the virus is executed first. The virus can, therefore, escape notice, unless the computer is booted from a diskette.
As Monkey not only moves but also encrypts the Master Boot Record, it is difficult to remove. The changes to Master Boot Record cannot be detected while the virus is active, since it reroutes the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape.
There are two often-used procedures, either of which can disinfect most boot sector viruses. One of these is the MS-DOS command FDISK /MBR, which rewrites the code in the Master Boot Record, and the other is using a disk editor to restore the Master Boot Record back on the zero track. In this case, the relocation and encryption of the partition table render these methods unusable. Although both procedures destroy the actual virus code, the computer cannot be booted from the hard disk afterwards.
There are five viable ways to remove the Monkey virus:
The virus is difficult to spot, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK or MEM programs. However, even if MEM reports that the computer has 639 kilobytes of available memory instead of the more common 640, that does not necessarily mean that the computer is infected. In many computers, BIOS allocates one kilobyte of DOS memory for its own use.
F-PROT recognizes and removes all known variants of the Stoned.Empire.Monkey virus.
Monkey: (Description quoted from Integrity Master User's Guide)
Synopsis: Resident, stealth infector of floppy boot sectors and partition sectors
Symptoms: Inaccessible hard disk after floppy boot, 1K less available memory
Details: Monkey is unusual in that it completely replaces the partition sector with its own code. If you boot from a floppy the hard disk will be inaccessible since there is no valid partition table in the partition sector. If the virus is resident in memory, it will use stealth techniques to return the original unmodified partition sector.
Once Integrity Master (AKA IM) is installed, removing Monkey is trivial. It will detect the virus in memory and ask you to boot from a diskette. (The hard disk will of course seem inaccessible at this point but Integrity Master can access it anyway.) After you boot, you just use the "ReLoad" menu to restore the "missing partition sector" (AKA Master Boot Record or MBR). Other products call this the master boot record but we prefer to call it the "partition sector" since it contains the hard disk's partitioning information and to more clearly differentiate from the operating system boot sector (usually a DOS boot sector).
What if you get the Monkey virus but you don't have Integrity Master installed already? You could remove Monkey, with an "FDISK /MBR" but then you would lose access to your hard disk. Not a good idea! Removal with Integrity Master is easy. Running IM on your infected PC, you use the Initialize menu to capture your partition sector. IM writes this to part.srl. What IM manages to do at this point is to get you a copy of the uninfected (clean) partition sector (Master Boot Record). You copy this to a diskette (realizing that this diskette is now infected). You now boot from a clean write-protected DOS diskette and run IM from floppy. You can now use the "ReLoad" menu to reload the missing partition sector as before. (You will need to insert the diskette with Part.srl in any one of the floppy drives at the point you do the reload.)
Don't forget to disinfect all your diskettes. The best way to do this is to scan your diskettes (use the scan Multiple diskettes menu option in IM for this or the command IMSCAM a: where "a" is your drive letter.) If the diskette is infected, copy all data to another diskette and trash or reformat the diskette. It's not safe to just remove the infected boot sector since Monkey will damage the file structure on the diskette causing possible data loss, if the diskette is not reformatted.
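The two repair routes above (FDISK /MBR or a disk editor, which fail on Monkey, versus reloading a saved clean partition sector as Integrity Master does) can be compared on a toy disk image. This is an added example built on constructed data, not code from Monkey, F-PROT or Integrity Master; the relocated copy is kept in plaintext here although the real virus encrypts it, and "third sector" is taken as zero-based sector index 2.

```python
"""Toy MBR model: why rewriting boot code alone cannot repair a relocated
partition table, while restoring a saved clean sector can. Constructed data."""
import struct

SECTOR = 512
CODE_AREA, TABLE_OFF, SIG_OFF = 446, 446, 510   # classic MBR layout
RELOCATED = 2                                    # assumed index of the copy

def make_clean_mbr() -> bytes:
    """Constructed MBR: dummy boot code, one active FAT16 partition, 55AA."""
    code = b"\xEB\xFE".ljust(CODE_AREA, b"\x90")          # jmp $, NOP padding
    # entry: status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\x3F\x1F", 63, 1_000_000)
    return code + entry + bytes(16 * 3) + b"\x55\xAA"

def partition_table_valid(sector: bytes) -> bool:
    """Roughly what DOS needs at boot: signature plus one sane entry.
    Failing this is the 'Invalid drive specification' symptom."""
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        return False
    for i in range(4):
        status, _, ptype, _, _, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFF + 16 * i)
        if status in (0x00, 0x80) and ptype and count:
            return True
    return False

def infected_image() -> bytearray:
    """Post-infection layout as the text describes it (constructed): sector 0
    holds only resident code and an empty table, the real MBR sits in sector 2."""
    disk = bytearray(SECTOR * 4)
    disk[0:SECTOR] = b"\xCC" * CODE_AREA + bytes(64) + b"\x55\xAA"
    disk[RELOCATED * SECTOR:(RELOCATED + 1) * SECTOR] = make_clean_mbr()
    return disk

def fdisk_mbr(disk: bytearray) -> bytearray:
    """What FDISK /MBR does: rewrite the code area only, keep the table area."""
    out = bytearray(disk)
    out[0:CODE_AREA] = b"\xEB\xFE".ljust(CODE_AREA, b"\x90")
    return out

def saved_copy(disk: bytearray) -> bytes:
    """The clean sector as captured while the stealth virus was resident
    (here simply read from its relocated position)."""
    return bytes(disk[RELOCATED * SECTOR:(RELOCATED + 1) * SECTOR])

def reload_partition_sector(disk: bytearray, saved: bytes) -> bytearray:
    """IM-style ReLoad: write a previously saved clean sector back to sector 0."""
    out = bytearray(disk)
    out[0:SECTOR] = saved
    return out
```

Running `partition_table_valid` on sector 0 before and after each repair shows the table still missing after `fdisk_mbr` and restored after `reload_partition_sector`.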
After reading Wolfgang and Mikko's articles I went and infected Albert (my working platform :-) )
I started out with an infected floppy. I put it in the drive and turned the system off then back on. I got the typical
Non-System disk or disk error
Replace and press any key when ready
message. I removed it from the system and continued with the boot-up.
Once the system was up I did a CHKDSK. The system reported a total of 654336 total bytes free instead of the usual 655360. MONKEY-A was there. That is how easy it is to infect the system. No whistles, whiz bangs or gala, just Non-system disk....
I ran F-Prot first.
Clean boot the system (turn the system off and put the disk in the drive then turn it on again. DO NOT USE ALT-CTL-DEL, some viruses can trap this and the infected memory will still be in control). F-Prot will start to come up then all of a sudden this appears in the upper right hand corner of your screen:
Invalid drive in search path
Bad command or file name
Don't panic, wait a few seconds and F-Prot continues. Go to the Scan screen and run Scan in the Report/Only mode. You will observe the following on your screen:
Scanning MBR of hard disk 1
Master Boot Sector infection: Stoned.Empire.Monkey.A
ERROR: No hard disk found
Again, don't panic! Go back to the Scan screen and go to the Action: block. You can enter either Disinfect/Query or Automatic Disinfection or Automatic Delete. Whatever you choose, enter it. Run Scan again with this and you will get rid of the problem in a flash.
That's it. The system is ready to go. No pain, no strain.
Next, I ran Integrity Master version 2.31b. (NOTE: Read the instructions very carefully. Here is how to set up.)
The setup of Integrity Master is crucial to its proper use. I speak from experience. :-) I had some problems at first because I did not set it up properly. Thanks to Wolfgang Stiller and Bill Lambdin assisting me I now have the proper set up. So, let me go over the set up first with you so those of you running Integrity Master have a proper set up.
I booted the system up with an infected disk containing Stoned.Empire.Monkey.B this time.
I ran IM from the hard drive first. The system stopped and informed me that the virus was there and that I should perform a clean boot. Again, turn the system off and put the bootable, write protected disk with IM in the drive and turn the system on. Run IM. At this point you will get a screen asking you if you want to initialize the system. You can hit any key at this point and it will get you into the menu.
Go to ReLoad. Cursor down to the Missing partition (NOT the Partition sector!!). Hit enter at this point. You will see two screens come up. The one on the left explains everything on the screen on the right. Go to the Physical hard disk number (0 to 9). Hit enter. Go to the Physical Drive option and hit 0. (Viruses only infect Drive zero, so no matter how many you have, hit zero.)
At this point you will be warned that you are about to overwrite your partition sector with the version saved in file: A:\IM_HOME\PART.SRL. This is what we want to do. Enter Yes. You will get an error report saying there is an error on C:\IM_HOME. This is alright. Remember, the virus tried to tell you there was no Hard drive, but IM got through it and fixed the missing partition. (NOTE: If you turn off the Report File you won't even see this error.) Turn the system off and then back on and you should be ready to go. Do a chkdsk; if you come up with 655360 then that is confirmation you are ready to go about your business.
Both of these products will remove both Monkey-A and Monkey-B in the manner described above.
My thanks to Bill Lambdin and Wolfgang for coming to my rescue, thanks guys. :-)
Well, that's the second issue. What do you think? Please let me know.
You will notice the Hacks, Viruses and Trojan section is rather scant. I could
use some help from folks out there helping me pass the word along. Drop me a
line and let me know what you want to see.
Next issue, I plan on running a treatise of Mikko Hyppönen's on Retroviruses. A brilliant paper on the viruses of today and their aggressive behavior. You won't want to miss it!!
My heartfelt thanks to the folks that help make this issue:
Best to you all from Biloxi, Mississippi,
Woody